Smith College Information Security Risk Assessment Checklist


This form contains a checklist for individual data handlers who are conducting an information security risk assessment of their work environment. The checklist is intended to provide you with options to consider in assessing information security risks. You and your department are encouraged to change, add, or delete specific and/or general items in the checklist to make the assessment more relevant to the specific environment and needs of your job or workplace. Please review the results of your assessment with your supervisor or manager.

The ultimate goal of this process is for departments to develop plans and action items that will reduce their risk, help them align their business practices with risk management and compliance needs, and assist in evaluating a potential security breach event.

Name:
Location:
Date:

Summary question (YES / NO): Does the hard drive of your computer contain any legally protected personal information* or other classified information?

If YES, please provide the following information (the "computer identifier" is the hardware/MAC address of the named network adapter, as on page 3 of this form):
  Desktop computers
    Ethernet computer identifier:
  Laptop computers
    Ethernet computer identifier:
    Wireless computer identifier:

For instructions on finding your computer identifier(s), see:

For each item on the following checklist, please enter one of the following:
  Y  = Yes
  N  = No
  IP = In progress
  NA = Not applicable

Overall Location Assessment (for each location)
- Has this location been inspected for the presence of both physical and electronic classified information?
- Is any PI* data stored in this location?
  - If yes, is there a continuing business need to keep the information in this location?
    - If there is a continuing business need: is the location locked or monitored during normal business hours?
    - If yes, is the location locked and/or monitored during non-business hours?
    - If yes, can only authorized personnel access the location?
    - If yes, is classified information stored in a secured enclosure?
    - If there is no continuing business need: is there a plan to move the information to an appropriate location? Or, is there a plan to securely remove or destroy the information?

Physical Information Assessment (for any location in which classified information is stored or processed on physical media, e.g., paper, index cards, computer printouts)
- Are there guidelines in place that specify who is granted access to classified information in this location?
- Is the information stored securely when not in use?
- Is there physical PI* data in this location?
  - If yes, are there clear guidelines on how it is stored and accessed?
  - If yes, are there clear guidelines for who is allowed to see or have copies of this information?

Electronic Information Assessment (for each computer you use in your location, please provide the following information)
  Computer type (Windows, Mac, other):
  Computer identifier (e.g., IP address, MAC address, or network name):
- Has the hard drive (C: drive) of this computer been scanned for PI* data using Identity Finder?
- Have all external devices used with this computer, including hard drives, thumb drives, and backup media, been scanned for PI* data using Identity Finder?
- Have you scanned your personal network drive (H: drive) for PI* data using Identity Finder?
- Did you find any PI* data?
  - If yes, has the PI* data been reviewed with the relevant Data Custodian?
  - If yes, have you decided what action to perform on the PI* data (e.g., shred, encrypt, scrub, move, or leave in place)?
  - If yes, have all remediation steps been completed?
- Is any other classified information processed or maintained on this computer?
  - If yes, has the data been reviewed by the relevant data custodian or their representative?
  - Are any remediation steps required to ensure that only needed data is maintained?
  - Are there clear guidelines in place for the storage and handling of the data?

Note on scan results: a discovery tool reports only the data patterns it is configured to look for, and it cannot read inside encrypted, password-protected, or unsupported file formats. A clean scan is therefore evidence, not proof, that no PI* data is present; files the tool skipped should be listed and reviewed by hand.
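To make concrete what a PI* data scan such as the Identity Finder step above actually does, here is a minimal scanner written for this page as an added example. It is not Identity Finder's code and not part of the Smith College form. It walks a directory tree, matches the two patterns most such tools start with (US Social Security numbers and payment card numbers), and then validates each match (SSN issuance rules, the Luhn check digit for card numbers) so that phone extensions, part numbers and order IDs are not reported. The sample files, file names and the numbers in them are constructed for the demonstration; 4111 1111 1111 1111 and 123-45-6789 are standard dummy values, not real identifiers.

```python
"""Minimal PI-data scanner: walks a directory tree and reports files that
contain US Social Security numbers or payment card numbers.

Added example for this page; not Identity Finder and not Smith College code.
It shows the two things any such scanner must do: match a pattern, then
validate the match so that ordinary digit runs are not reported.
"""
import os
import re
import tempfile
from typing import List, Tuple

# SSN in the dashed form AAA-GG-SSSS. Area 000, 666 and 900-999 are never
# issued, and group 00 / serial 0000 are invalid, so they are excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

MAX_BYTES = 10 * 1024 * 1024  # assumption: skip very large files (media, VM images)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so the scan report itself is not PI."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each validated hit in a text blob."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):      # drop digit runs that fail the check digit
            hits.append(("card", mask(digits)))
    return hits


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (relative_path, kind, masked_value) for every hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue         # unreadable file: skip it, do not abort the scan
            rel = os.path.relpath(path, root)
            for kind, value in scan_text(text):
                findings.append((rel, kind, value))
    return findings


def demo() -> List[Tuple[str, str, str]]:
    """Build a constructed sample tree in a temp directory and scan it.
    The numbers are well-known dummy values, not real identifiers."""
    root = tempfile.mkdtemp(prefix="pi_scan_")
    samples = {
        "roster.txt": "Jane Doe, SSN 123-45-6789, ext. 555-0142\n",
        "orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4111111111111112\n",
        "notes.txt": "Serial 900-12-3456 is a part number, not an SSN.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, kind, value in demo():
        print(f"{rel}: {kind} {value}")
```

Running the demo reports the SSN in roster.txt and the valid card number in orders.csv, but not the extension, the 900-series "serial", or the card-like number whose Luhn digit is wrong. Real tools add more patterns, open archives and office formats, and scan binary content; the validation step is what keeps the findings list short enough for a data custodian to review.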

Computer Security (security considerations for all computer systems, including office desktops and laptops, that contain or process PI* data or other classified information)
- Does the computer require a password on startup and on wake from sleep mode?
- Does the computer have an idle timer set and a screen saver with password protection?
- Are system updates and security patch checks performed automatically by the system?
- Does the system have up-to-date virus and malware detection (e.g., McAfee VirusScan) installed?
- Are computer access passwords shared among several users?
  - If yes, are there specific authorized-user access controls for classified information?
- Are all files or folders containing confidential information protected by encryption or by at least two levels of passwords (e.g., workstation and network passwords)? (Note: login passwords protect data only while the system is running intact; if the drive is removed or the machine is booted from other media they offer no protection, so encryption is the stronger of the two controls.)
- Does the system have its host (software) firewall enabled and configured?
- Does the computer have a cable lock or other physical security protection?
- Does the computer have electrical surge or UPS protection?
- Is the computer used for other purposes not related to classified information?

Laptops and Other Portable Devices (additional considerations for laptop systems and other portable devices that contain or process PI* data or other classified information)
- Are all files or folders containing PI* information encrypted?
- Do you carry and use a cable lock when traveling?
- Does your laptop have a lost/stolen system retrieval service installed (e.g., CompuTrace)?
- For handheld devices, can the device be remotely wiped if lost or stolen?
- Are all removable storage devices stored in a secure location?
- Is there a procedure for securely destroying classified information on external storage?
- Is information about the laptop or other device recorded and maintained outside the device itself? If a laptop or other device is lost or stolen, it is very helpful to have its serial number, computer identifier(s), operating system type, and a list of the files and folders that contained classified information.

Data Backups (security considerations for backed-up data)
- Is important information on local drives backed up at regular intervals?
- Are the backups and backup media encrypted or stored in a secure location?
- Is there a defined retention period for backup media?
- Is there a procedure for securely destroying classified information from backup storage?

Please enter any other comments or questions below:
